Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-9906

Published Unknown
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-9906. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
0.0
/10
Not Available
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector
Not Available
Attack Complexity
Not Available
Privileges Required
Not Available
User Interaction
Not Available
Scope
Not Available

Impact Metrics

Confidentiality
Not Available
Integrity
Not Available
Availability
Not Available

Description

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .keras model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed. This is achieved by crafting a special config.json (a file within the .keras archive) that will invoke keras.config.enable_unsafe_deserialization() to disable safe mode. Once safe mode is disable, one can use the Lambda layer feature of keras, which allows arbitrary Python code in the form of pickled code. Both can appear in the same archive. Simply the keras.config.enable_unsafe_deserialization() needs to appear first in the archive and the Lambda with arbitrary code needs to be second.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Unknown Vendor

Unknown Product

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

Malicious code in bioql (PyPI)

Affected Products (ENISA)

keras-team
keras

ENISA Scoring

CVSS Score (4.0)

8.6
/10
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:A

EPSS Score

0.060
probability

ENISA References

https://nvd.nist.gov/vuln/detail/CVE-2025-9906
https://github.com/keras-team/keras/pull/21429
https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
https://github.com/keras-team/keras
https://github.com/keras-team/keras/releases/tag/v3.11.0
https://osv.dev/vulnerability/CVE-2025-9906

Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Keras is vulnerable to Deserialization of Untrusted Data

GHSA-36fq-jgmw-4r9c

Advisory Details

### Arbitrary Code Execution in Keras Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted `.keras` model archive, even when `safe_mode=True`. The issue arises because the archive’s `config.json` is parsed before layer deserialization. This can invoke `keras.config.enable_unsafe_deserialization()`, effectively disabling safe mode from within the loading process itself. An attacker can place this call first in the archive and then include a `Lambda` layer whose function is deserialized from a pickle, leading to the execution of attacker-controlled Python code as soon as a victim loads the model file. Exploitation requires a user to open an untrusted model; no additional privileges are needed. The fix in version 3.11.0 enforces safe-mode semantics *before* reading any user-controlled configuration and prevents the toggling of unsafe deserialization via the config file. **Affected versions:** < 3.11.0 **Patched version:** 3.11.0 It is recommended to upgrade to version 3.11.0 or later and to avoid opening untrusted model files.

Affected Packages

PyPI keras
ECOSYSTEM: ≥0 <3.11.0

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-9906
WEB https://github.com/keras-team/keras/pull/21429
WEB https://github.com/keras-team/keras/commit/713172ab56b864e59e2aa79b1a51b0e728bba858
PACKAGE https://github.com/keras-team/keras
WEB https://github.com/keras-team/keras/releases/tag/v3.11.0
WEB https://osv.dev/vulnerability/CVE-2025-9906

Advisory provided by GitHub Security Advisory Database. Published: September 19, 2025, Modified: September 23, 2025

Published: Unknown
Last Modified: Unknown
Copied to clipboard!